The NTP daemon and utilities
dbacec4466ee70248db634b110bfad8a2b74cd82..c054b85192ea340529fc9a659cac7ea6b893b50e
2014-12-20 CentOS Sources
debrand ntp-4.2.6p5-19.el7_0
c054b8
2014-12-20 CentOS Sources
import ntp-4.2.6p5-19.el7_0
6d61af
4 files added
1 files modified
289 ■■■■■ changed files
SOURCES/ntp-4.2.6p5-cve-2014-9293.patch 35
SOURCES/ntp-4.2.6p5-cve-2014-9294.patch 108
SOURCES/ntp-4.2.6p5-cve-2014-9295.patch 110
SOURCES/ntp-4.2.6p5-cve-2014-9296.patch 14
SPECS/ntp.spec 22
SOURCES/ntp-4.2.6p5-cve-2014-9293.patch
New file
@@ -0,0 +1,35 @@
diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2014-9293 ntp-4.2.6p5/ntpd/ntp_config.c
--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2014-9293    2014-12-19 16:24:18.297578337 +0100
+++ ntp-4.2.6p5/ntpd/ntp_config.c    2014-12-19 16:24:18.311578368 +0100
@@ -1866,13 +1866,16 @@ config_auth(
         req_hashlen = digest_len;
 #endif
     } else {
-        int    rankey;
+        unsigned char rankey[16];
+
+        if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
+            msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
+            exit(1);
+        }
-        rankey = ntp_random();
         req_keytype = NID_md5;
         req_hashlen = 16;
-        MD5auth_setkey(req_keyid, req_keytype,
-            (u_char *)&rankey, sizeof(rankey));
+        MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
         authtrust(req_keyid, 1);
     }
diff -up ntp-4.2.6p5/ntpd/ntpd.c.cve-2014-9293 ntp-4.2.6p5/ntpd/ntpd.c
--- ntp-4.2.6p5/ntpd/ntpd.c.cve-2014-9293    2014-12-19 16:24:02.000000000 +0100
+++ ntp-4.2.6p5/ntpd/ntpd.c    2014-12-19 16:24:18.298578339 +0100
@@ -593,6 +593,7 @@ ntpdmain(
     get_systime(&now);
     ntp_srandom((int)(now.l_i * now.l_uf));
+    ntp_crypto_srandom();
 #if !defined(VMS)
 # ifndef NODETACH
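Review bot: In the `config_auth` hunk the 16 key bytes in `rankey` are left on the stack after `MD5auth_setkey()` returns, so a second copy of the request key outlives the only code that needs it. Assuming `MD5auth_setkey()` copies the bytes into the key table (its body is not on this page), the local should be cleared once the key is installed, using a wipe the compiler cannot drop, for example `OPENSSL_cleanse(rankey, sizeof(rankey));` after the `authtrust(req_keyid, 1);` line. `config_auth` starts and ends outside the hunk, so whether the needed OpenSSL header is already included in ntp_config.c has to be checked there.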
SOURCES/ntp-4.2.6p5-cve-2014-9294.patch
New file
@@ -0,0 +1,108 @@
diff -up ntp-4.2.6p5/include/ntp_random.h.orig ntp-4.2.6p5/include/ntp_random.h
--- ntp-4.2.6p5/include/ntp_random.h.orig    2009-12-09 08:36:35.000000000 +0100
+++ ntp-4.2.6p5/include/ntp_random.h    2014-12-19 16:01:32.450628801 +0100
@@ -1,6 +1,9 @@
 #include <ntp_types.h>
+void ntp_crypto_srandom(void);
+int ntp_crypto_random_buf(void *buf, size_t nbytes);
+
 long ntp_random (void);
 void ntp_srandom (unsigned long);
 void ntp_srandomdev (void);
diff -up ntp-4.2.6p5/libntp/ntp_random.c.orig ntp-4.2.6p5/libntp/ntp_random.c
--- ntp-4.2.6p5/libntp/ntp_random.c.orig    2009-12-09 08:36:36.000000000 +0100
+++ ntp-4.2.6p5/libntp/ntp_random.c    2014-12-19 16:04:32.069016676 +0100
@@ -481,3 +481,63 @@ ntp_random( void )
     }
     return(i);
 }
+
+/*
+ * Crypto-quality random number functions
+ *
+ * Author: Harlan Stenn, 2014
+ *
+ * This file is Copyright (c) 2014 by Network Time Foundation.
+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
+ */
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+int crypto_rand_init = 0;
+
+/*
+ * ntp_crypto_srandom:
+ *
+ * Initialize the random number generator, if needed by the underlying
+ * crypto random number generation mechanism.
+ */
+
+void
+ntp_crypto_srandom(
+    void
+    )
+{
+    if (!crypto_rand_init) {
+        RAND_poll();
+        crypto_rand_init = 1;
+    }
+}
+
+/*
+ * ntp_crypto_random_buf:
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+ntp_crypto_random_buf(
+    void *buf,
+    size_t nbytes
+    )
+{
+    int rc;
+
+    rc = RAND_bytes(buf, nbytes);
+    if (1 != rc) {
+        unsigned long err;
+        char *err_str;
+
+        err = ERR_get_error();
+        err_str = ERR_error_string(err, NULL);
+        /* XXX: Log the error */
+
+        return -1;
+    }
+    return 0;
+}
+
diff -up ntp-4.2.6p5/util/ntp-keygen.c.orig ntp-4.2.6p5/util/ntp-keygen.c
--- ntp-4.2.6p5/util/ntp-keygen.c.orig    2014-12-19 15:27:38.375236349 +0100
+++ ntp-4.2.6p5/util/ntp-keygen.c    2014-12-19 15:58:00.006170042 +0100
@@ -263,6 +263,8 @@ main(
     ssl_check_version();
 #endif /* OPENSSL */
+    ntp_crypto_srandom();
+
     /*
      * Process options, initialize host name and timestamp.
      */
@@ -743,7 +745,14 @@ gen_md5(
             int temp;
             while (1) {
-                temp = ntp_random() & 0xff;
+                int rc;
+
+                rc = ntp_crypto_random_buf(&temp, 1);
+                if (-1 == rc) {
+                    fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+                    exit (-1);
+                }
+                temp &= 0xff;
                 if (temp == '#')
                     continue;
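Review bot: In the `gen_md5` hunk, `ntp_crypto_random_buf(&temp, 1)` stores one byte into the multi-byte `int temp`, and `temp &= 0xff` then reads the low-order byte. On a big-endian machine that is not the byte that was written, so the key character is taken from whatever `temp` held before (indeterminate on the first pass) rather than from the CSPRNG. Reading into a byte-sized object removes the dependence on byte order: declare `unsigned char rb;`, call `rc = ntp_crypto_random_buf(&rb, sizeof(rb));`, and after the error check use `temp = rb;` in place of `temp &= 0xff;`. The rest of the loop and of `gen_md5` lies outside the hunk.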
SOURCES/ntp-4.2.6p5-cve-2014-9295.patch
New file
@@ -0,0 +1,110 @@
2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
  [Sec 2667] buffer overflow in crypto_recv()
--- 1.168/ntpd/ntp_crypto.c    2014-11-15 04:41:02 +00:00
+++ 1.169/ntpd/ntp_crypto.c    2014-12-12 11:06:03 +00:00
@@ -820,15 +820,24 @@ crypto_recv(
              * errors.
              */
             if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+                u_int32 *cookiebuf = malloc(
+                    RSA_size(host_pkey->pkey.rsa));
+                if (!cookiebuf) {
+                    rval = XEVNT_CKY;
+                    break;
+                }
+
                 if (RSA_private_decrypt(vallen,
                     (u_char *)ep->pkt,
-                    (u_char *)&temp32,
+                    (u_char *)cookiebuf,
                     host_pkey->pkey.rsa,
-                    RSA_PKCS1_OAEP_PADDING) <= 0) {
+                    RSA_PKCS1_OAEP_PADDING) != 4) {
                     rval = XEVNT_CKY;
+                    free(cookiebuf);
                     break;
                 } else {
-                    cookie = ntohl(temp32);
+                    cookie = ntohl(*cookiebuf);
+                    free(cookiebuf);
                 }
             } else {
                 rval = XEVNT_CKY;
2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
  [Sec 2668] buffer overflow in ctl_putdata()
--- 1.190/ntpd/ntp_control.c    2014-11-15 04:41:02 +00:00
+++ 1.191/ntpd/ntp_control.c    2014-12-12 11:13:40 +00:00
@@ -801,6 +801,10 @@ static    char *reqend;
 static    char *reqpt;
 static    char *reqend;
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
 /*
  * init_control - initialize request data
  */
@@ -1316,6 +1320,7 @@ ctl_putdata(
     )
 {
     int overhead;
+    unsigned int currentlen;
     overhead = 0;
     if (!bin) {
@@ -1338,12 +1343,22 @@ ctl_putdata(
     /*
      * Save room for trailing junk
      */
-    if (dlen + overhead + datapt > dataend) {
+    while (dlen + overhead + datapt > dataend) {
         /*
          * Not enough room in this one, flush it out.
          */
+        currentlen = MIN(dlen, dataend - datapt);
+
+        memcpy(datapt, dp, currentlen);
+
+        datapt += currentlen;
+        dp += currentlen;
+        dlen -= currentlen;
+        datalinelen += currentlen;
+
         ctl_flushpkt(CTL_MORE);
     }
+
    memmove((char *)datapt, dp, (unsigned)dlen);
     datapt += dlen;
     datalinelen += dlen;
2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
  [Sec 2669] buffer overflow in configure()
--- 1.191/ntpd/ntp_control.c    2014-12-12 11:13:40 +00:00
+++ 1.192/ntpd/ntp_control.c    2014-12-12 11:19:37 +00:00
@@ -3290,6 +3290,20 @@ static void configure(
     /* Initialize the remote config buffer */
     data_count = reqend - reqpt;
+
+    if (data_count > sizeof(remote_config.buffer) - 2) {
+        snprintf(remote_config.err_msg,
+             sizeof(remote_config.err_msg),
+             "runtime configuration failed: request too long");
+        ctl_putdata(remote_config.err_msg,
+                strlen(remote_config.err_msg), 0);
+        ctl_flushpkt(0);
+        msyslog(LOG_NOTICE,
+            "runtime config from %s rejected: request too long",
+            stoa(&rbufp->recv_srcadr));
+        return;
+    }
+
     memcpy(remote_config.buffer, reqpt, data_count);
     if (data_count > 0
         && '\n' != remote_config.buffer[data_count - 1])
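Review bot: In the `ctl_putdata` hunk the new loop condition `dlen + overhead + datapt > dataend` still builds a pointer beyond `dataend` before comparing. That is undefined for a large `dlen` and can wrap on a 32-bit address space, in which case the check passes and the final `memmove` writes past the buffer. Comparing lengths instead of pointers avoids it: `while ((size_t)dlen + overhead > (size_t)(dataend - datapt)) {`. The same signed difference `dataend - datapt` is mixed with `dlen` inside `MIN(...)`, so an explicit cast there would make the intended unsigned comparison visible. The declaration of `dlen` and the code that sets `overhead` are outside the hunk, so the casts should be confirmed against the real types.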
SOURCES/ntp-4.2.6p5-cve-2014-9296.patch
New file
@@ -0,0 +1,14 @@
2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
  [Sec 2670] Missing return; from error clause
--- 1.350/ntpd/ntp_proto.c    2014-11-21 11:06:57 +00:00
+++ 1.351/ntpd/ntp_proto.c    2014-12-12 11:24:22 +00:00
@@ -1089,6 +1089,7 @@ receive(
                 fast_xmit(rbufp, MODE_ACTIVE, 0,
                     restrict_mask);
                 sys_restricted++;
+                return;
             }
         }
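Review bot: The added `return;` in `receive()` carries no comment saying why this branch must stop here, and the condition guarding it is outside the hunk, so a later reader cannot tell a security fix from a tidy-up. According to the changelog on this page, the intent is that a packet failing authentication must not go on to mobilize a passive association. A comment above the `return;` such as `/* auth failed and reply sent: do not fall through and mobilize an association */` would record that and make an accidental removal less likely.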
SPECS/ntp.spec
@@ -1,7 +1,7 @@
Summary: The NTP daemon and utilities
Name: ntp
Version: 4.2.6p5
Release: 18%{?dist}
Release: 19%{?dist}
# primary license (COPYRIGHT) : MIT
# ElectricFence/ (not used) : GPLv2
# kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -89,6 +89,14 @@
Patch20: ntp-4.2.6p5-noservres.patch
# ntpbz #2506
Patch21: ntp-4.2.6p5-refreshroute.patch
# ntpbz #2666
Patch22: ntp-4.2.6p5-cve-2014-9294.patch
# ntpbz #2665
Patch23: ntp-4.2.6p5-cve-2014-9293.patch
# ntpbz #2667
Patch24: ntp-4.2.6p5-cve-2014-9295.patch
# ntpbz #2670
Patch25: ntp-4.2.6p5-cve-2014-9296.patch
# handle unknown clock types
Patch50: ntpstat-0.2-clksrc.patch
@@ -198,6 +206,10 @@
%patch19 -p1 -b .pwcipher
%patch20 -p1 -b .noservres
%patch21 -p1 -b .refreshroute
%patch22 -p1 -b .cve-2014-9294
%patch23 -p1 -b .cve-2014-9293
%patch24 -p1 -b .cve-2014-9295
%patch25 -p1 -b .cve-2014-9296
# ntpstat patches
%patch50 -p1 -b .clksrc
@@ -409,9 +421,15 @@
%{ntpdocdir}/html
%changelog
* Wed Jun 18 2014 Jim Perrin <jperrin@centos.org> - 4.2.6p5-18.el7.centos
* Fri Dec 19 2014 CentOS Sources <bugs@centos.org> - 4.2.6p5-19.el7.centos
- rebrand vendorzone
* Fri Dec 19 2014 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-19
- don't generate weak control key for resolver (CVE-2014-9293)
- don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
- fix buffer overflows via specially-crafted packets (CVE-2014-9295)
- don't mobilize passive association when authentication fails (CVE-2014-9296)
* Tue Feb 11 2014 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-18
- disable monitor in default ntp.conf (#1047856)